The easiest way to prevent SQL injection
Well you can prevent people from being able to update or insert in the database, don’t give the user all access for your crappy code. You could put the users in a different database. That may or may not work, as the user part of your code would have to be secure.
I just deleted my email and the password from my users table for the old site, so if somebody hacks /new/, they won’t get much. Using PDO->quote() might be enough.
I can’t delete my user, or drop the table, thanks to the foreign key, which I’m to lazy to delete.
You could make your code super paranoid. Verification might help. Make sure it’s a number.